GoogleOSV:GHSA-5QX9-9FFJ-5R8FMattermost fails to fully validate role changes
2.7 Low
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
6.6 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
9.1%
Mattermost versions 9.6.0, 9.5.x before 9.5.3, and 8.1.x before 8.1.12 fail to fully validate role changes which allows an attacker authenticated as team admin to demote users to guest via crafted HTTP requests.
References
github.com/mattermost/mattermost
github.com/mattermost/mattermost/commit/3d6d8a7c1f7105558fe266a1b379859a4dba4e9b
github.com/mattermost/mattermost/commit/408ce4a82bb55ce27801f7044d9b3b49e82c47ed
github.com/mattermost/mattermost/commit/fba5b8e348feada9b21290369c3598ccd5c04424
mattermost.com/security-updates
nvd.nist.gov/vuln/detail/CVE-2024-4198
Related
2.7 Low
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
6.6 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
9.1%